Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 1st week of February 2018

New Detection Technique – Adobe Flash 0 day

A new vulnerability in Adobe Flash software was publicly announced at the beginning of February, after identification by the Korean CERT team. It allows Remote Code Execution via a corrupted Flash object.

The first campaign exploiting this vulnerability delivered a known RAT called ROKRAT. It starts with a malicious Excel file, distributed either by email or as a download from compromised web sites, which contains a malicious SWF file exploiting CVE-2018-4878. The SWF connects to a compromised web server and downloads additional shellcode, which is loaded into memory and executed.

After confirmation that the machine is an intended victim, the ROKRAT payload is downloaded and installed.

We've added IDS signatures and the following correlation rule to detect this activity:

New Detection Technique – Pzchao

Pzchao is the name of a highly specialized espionage campaign, possibly a return of the Iron Tiger attackers, who are thought to be based in China. Unusually, in addition to typical espionage, the attackers also appear to be pursuing direct commercial gain.

Pzchao malware has targeted notable institutions in the government, telecommunications, technology and education sectors, mainly in the USA and Asia. The initial point of compromise is normally a spearphishing message carrying a malicious VBS attachment, which acts as a downloader for further malicious payloads. At each stage of the communication new malicious files are downloaded, extending the espionage and remote-administration capabilities, and a different server is contacted at each step, identified by hostnames such as 'up.pzchao[.]com'.

Even though the tools used in this attack are a few years old, they are robust and could be reused in the future with small modifications. The complexity of the server network and the amount of information gathered so far make this campaign an extremely powerful tool that is very difficult to identify. The rotation of C&C servers over the trojan's lifecycle also helps it evade detection at the network level.

We've added IDS signatures and the following correlation rule to detect this activity:

System Compromise, Trojan infection, up.pzchao
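The hostname above is written in the defanged form common to threat-intelligence write-ups, so a hostname-based correlation rule first has to turn it back into a matchable name and then compare it against observed DNS queries, including subdomains and names with a trailing dot. The following Python is an added example of that check and is not code from the original update or from the CTM product; the log line format and all sample queries and client addresses are constructed for the example, and only the indicator itself comes from the page.

```python
import re
from typing import Dict, Iterable, List

# Defanged indicator in the style used in the write-up above (the host is the
# one named on the page; it is used here purely as a sample indicator).
DEFANGED_INDICATORS = ["up.pzchao[.]com"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable hostname.

    Handles the usual '[.]', '(.)', '[dot]' and 'hxxp://' conventions and
    drops any URL path so only the host part is kept.
    """
    host = indicator.strip().lower()
    host = host.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    host = re.sub(r"^hxxps?://", "", host)
    host = host.split("/")[0]
    return host.rstrip(".")


def host_matches(query: str, indicator_host: str) -> bool:
    """True if the queried name is the indicator itself or a subdomain of it.

    Comparison is case-insensitive and ignores a trailing root dot; a plain
    substring test would wrongly flag e.g. 'notpzchao.com', so the subdomain
    check requires the separating dot.
    """
    q = query.lower().rstrip(".")
    return q == indicator_host or q.endswith("." + indicator_host)


def scan_dns_log(lines: Iterable[str], indicators: List[str]) -> List[Dict[str, str]]:
    """Return one hit record per DNS query that resolves a listed indicator.

    Constructed log format (hypothetical): "<timestamp> <client_ip> query <qname>".
    """
    hosts = [refang(i) for i in indicators]
    hits: List[Dict[str, str]] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue  # not a query record in the constructed format
        ts, client, _, qname = parts[:4]
        for h in hosts:
            if host_matches(qname, h):
                hits.append({"ts": ts, "client": client, "qname": qname, "indicator": h})
    return hits


# Constructed sample DNS log lines; none of this is real traffic.
SAMPLE_DNS_LOG = [
    "2018-02-05T09:12:01Z 10.0.0.12 query up.pzchao.com.",
    "2018-02-05T09:12:02Z 10.0.0.12 query cdn.example.net",
    "2018-02-05T09:13:10Z 10.0.0.31 query UP.PZCHAO.COM",
    "2018-02-05T09:14:00Z 10.0.0.31 query notpzchao.com",
    "2018-02-05T09:15:00Z 10.0.0.44 query stage2.up.pzchao.com",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG, DEFANGED_INDICATORS):
        print(hit)
```

The subdomain match matters for a campaign like this one, where each stage contacts a different host under the same domain; the negative case ('notpzchao.com') shows why the check anchors on the dot rather than on a substring.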

New Detection Technique – Kimsuky

Kimsuky is an APT campaign first identified in 2013. In 2014 Kimsuky was observed carrying out a number of attacks against organisations in South Korea and against those researching North Korea. After a long hiatus, Kimsuky activity has been observed again, including possible espionage attacks related to the Winter Olympics.

We've added IDS signatures and the following correlation rule to detect this activity:

System Compromise, Trojan infection, Kimsuky

New Detection Technique – Malware SSL Certificates

We've added new IDS signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications for several malware families, including:
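Certificate-based C&C detection works by comparing the SHA1 fingerprint of the server certificate seen in a TLS session against a list of fingerprints known to belong to malware infrastructure. The Python below is an added example of that lookup, not code from the original update, the CTM product or Abuse.ch: the blocklist text follows the "Listingdate,SHA1,Listingreason" CSV layout of the Abuse.ch SSL Blacklist, but every fingerprint, reason, address and log line in it is constructed for the example, and the TLS log format is hypothetical.

```python
import csv
import hashlib
import re
from typing import Dict, Iterable, List

# Constructed blocklist in the Abuse.ch SSLBL CSV layout; the fingerprints
# and reasons are invented for this example and match no real certificate.
SAMPLE_SSLBL_CSV = """\
# Listingdate,SHA1,Listingreason
2018-02-01 10:00:00,6f1c2b7c1f6d0c9d4d9e6e8d8a1a2b3c4d5e6f70,Example C&C (constructed)
2018-02-02 11:30:00,0a1b2c3d4e5f60718293a4b5c6d7e8f901234567,Example C&C (constructed)
2018-02-03 12:00:00,not-a-fingerprint,Malformed row (constructed)
"""

HEX40 = re.compile(r"^[0-9a-f]{40}$")


def normalize_fingerprint(fp: str) -> str:
    """Lowercase hex without separators, so 'AB:CD' and 'abcd' compare equal."""
    return fp.strip().replace(":", "").replace(" ", "").lower()


def load_blocklist(text: str) -> Dict[str, str]:
    """Map normalized SHA1 -> listing reason; skips comments and malformed rows."""
    entries: Dict[str, str] = {}
    rows = (line for line in text.splitlines() if line and not line.startswith("#"))
    for row in csv.reader(rows):
        if len(row) < 3:
            continue
        fp = normalize_fingerprint(row[1])
        if HEX40.match(fp):
            entries[fp] = row[2]
    return entries


def cert_sha1(der_bytes: bytes) -> str:
    """SHA1 fingerprint of a DER-encoded certificate, the value the list keys on."""
    return hashlib.sha1(der_bytes).hexdigest()


def match_tls_log(lines: Iterable[str], blocklist: Dict[str, str]) -> List[Dict[str, str]]:
    """Return a hit for every TLS session whose server certificate is listed.

    Constructed log format (hypothetical):
    "<timestamp> <src_ip> <dst_ip>:<port> <server_cert_sha1>".
    """
    hits: List[Dict[str, str]] = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, fp = parts
        reason = blocklist.get(normalize_fingerprint(fp))
        if reason is not None:
            hits.append({"ts": ts, "src": src, "dst": dst, "reason": reason})
    return hits


# Constructed TLS session records; the first fingerprint is deliberately in the
# colon-separated uppercase form many sensors emit, to exercise normalization.
SAMPLE_TLS_LOG = [
    "2018-02-05T10:01:00Z 10.0.0.12 203.0.113.5:443 "
    "6F:1C:2B:7C:1F:6D:0C:9D:4D:9E:6E:8D:8A:1A:2B:3C:4D:5E:6F:70",
    "2018-02-05T10:02:00Z 10.0.0.13 198.51.100.7:443 "
    "deadbeef0000000000000000000000000000beef",
    "2018-02-05T10:03:00Z 10.0.0.14 203.0.113.9:8443 "
    "0a1b2c3d4e5f60718293a4b5c6d7e8f901234567",
]

if __name__ == "__main__":
    for hit in match_tls_log(SAMPLE_TLS_LOG, load_blocklist(SAMPLE_SSLBL_CSV)):
        print(hit)
```

Normalizing both sides before the lookup is the part most often got wrong in practice: sensors log fingerprints in mixed case with or without colons, and a direct string comparison silently misses listed certificates. The port is carried through in the hit because C&C over TLS is not confined to 443.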

New Detection Technique – Elise

Elise is a custom-built malware toolkit used in APT campaigns during the operation known as Lotus Blossom, which began in mid-2015. It includes features such as sandbox detection and data exfiltration, so it is regarded as espionage software.

iDefense analysts have now reported that Lotus Blossom has created and distributed a new variant of the Elise malware. This latest campaign targeted members of the ASEAN Defense Minister's Meeting (ADMM). The initial compromise is a Word document containing an OLE object that exploits CVE-2017-11882.